It's a TP-Link (router setup was surprisingly straightforward, if I am honest).

This may not be a specific ZA question, but you folks are clever and helpful people and may be able to sort me out, if there is an issue here.

I have the following settings done through the router's config:

Dynamic DHCP: Off (computers use static IP addresses within the 192.168.0.2-254 range, with the 255.255.255.0 subnet and 192.168.0.1 gateway [the router's IP]; the DNS is set to my cable provider's two DNS addresses, 194.168.4.100 and 194.168.8.100).

Broadcast SSID: Off

WiFi Password Security: WPA2-PSK (AES?)

MAC address filtering: Enabled, only the main PC (wired) and netbook (wifi) can access resources.
Additionally, the only MAC that can login to the router setup page is the main PC.

Router Firewall: On

I set ZA (on the WinXP PC) to put the 192.168.0.1/255.255.255.0 network in the "public" zone and the DHCP server (62.253.131.44, Virgin Media ISP) IP address in the "public" zone.
When I wanted to connect the netbook for file/print sharing, I specifically added its IP address (in this case 192.168.0.101) to the "trusted" zone.

All is well, and I get internet connectivity on both the Main WinXP PC and Win7Starter netbook.

With the Win7 netbook putting the seen network into Workgroup mode, I can share resources of the XP machine with the Win7 machine (but not other way around).

Now, as far as I can tell, I have security as good as it's going to get on the main XP PC, well, of course, with Windows XP and ZoneAlarm and a router and no additional security software/devices. I checked with audit my PC and it seems fine, I get "no ports open".

However, should the netbook be running in workgroup mode? I scanned the netbook with audit my PC and no ports were open.
Is there a way using WindowsFirewall I can tell it to act more like ZA, and put just my main PC's IP as a trusted zone, and any others from the same 192.168.0.X group still remain in public?
I didn't want to install ZA on the netbook really, because it's only an Atom processor and needs everything to be as light as possible, hence the Windows Firewall, and MS Security Essentials.

I guess I am a bit cheeky asking that here...but a few folks I've dealt with on this forum have been really great help.
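The question above asks whether the built-in Windows Firewall on the Windows 7 netbook can be made to behave like ZoneAlarm's zones: trust one address (the main PC) for file and print sharing and leave the rest of 192.168.0.x untrusted. The script below is an added example for that, not something posted in this thread and not ZoneAlarm code. It assumes a main-PC address of 192.168.0.2 (the thread never states it) and that the netbook classifies the home network under the Private (Home/Work) profile. Windows 7 has no `New-NetFirewallRule` cmdlet, so the script drives `netsh advfirewall`, which Windows 7 does ship; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from this thread: scope the Windows 7 netbook's built-in
# Windows Firewall so that only the main PC can reach file/print sharing while
# every other host on 192.168.0.0/24 stays blocked inbound.
#
# ASSUMPTION: the main PC's static address; the thread never states it.
$MainPcIp = "192.168.0.2"

function Assert-NetshOk([string]$Step) {
    # netsh prints "Ok." on success and returns a non-zero code on failure.
    if ($LASTEXITCODE -ne 0) { throw "netsh failed while $Step" }
}

# 1. Default inbound action on the Private (Home/Work) profile: block.
#    Anything not matched by an allow rule below is dropped.
netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound
Assert-NetshOk "setting the private profile default policy"

# 2. Disable the built-in File and Printer Sharing group. Its rules allow the
#    whole local subnet, which is exactly the "all of 192.168.0.x" behaviour
#    being replaced.
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no
Assert-NetshOk "disabling the built-in sharing group"

# 3. Re-allow the same ports, but only from the main PC. No block rule is added
#    for the rest of the subnet: in Windows Firewall an explicit block wins over
#    an allow, so a subnet-wide block would also cut off the main PC.
$Rules = @(
    @{ Name = 'ZA-style-SMB-In';         Proto = 'TCP'; Port = 445 },
    @{ Name = 'ZA-style-NetBIOS-SSN-In'; Proto = 'TCP'; Port = 139 },
    @{ Name = 'ZA-style-NetBIOS-NS-In';  Proto = 'UDP'; Port = 137 },
    @{ Name = 'ZA-style-NetBIOS-DGM-In'; Proto = 'UDP'; Port = 138 }
)
foreach ($r in $Rules) {
    # Drop any earlier copy first so the script can be re-run; a missing rule
    # makes netsh return non-zero, which is harmless here.
    netsh advfirewall firewall delete rule name=$($r.Name) | Out-Null
    netsh advfirewall firewall add rule name=$($r.Name) dir=in action=allow `
        protocol=$($r.Proto) localport=$($r.Port) remoteip=$MainPcIp profile=private
    Assert-NetshOk "adding $($r.Name)"
}

# 4. Show the resulting rules so the scope can be checked against the intent:
#    each should list RemoteIP as the main PC only and Profiles as Private.
foreach ($r in $Rules) {
    netsh advfirewall firewall show rule name=$($r.Name)
}
```

Two points worth checking afterwards: the rules only take effect while the netbook's network location is Home or Work (the Private profile), so a network classified as Public will still block the main PC; and because the built-in sharing group is disabled rather than overridden, re-enabling sharing from the Network and Sharing Center wizard will turn the subnet-wide rules back on and has to be avoided.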

First of all, congratulations on your new setup. You will see that it is much easier and more stable than ICS!

IMO, there is too much unnecessary paranoia in your setup. In other words, your setup does not really help to improve your security but mainly creates network and connection issues in the long run.

For example, Broadcast OFF is no security, as scanners can see your WiFi even with broadcast OFF. The same applies to MAC addresses, which can be easily spoofed. Just placebo measures.

The main protection for your LAN/WiFi is WPA2 encryption (AES preferred) and a long random password. If your router offers WPS functionality, turn it OFF. Check if you are on the latest router firmware; if not, update to it. Change the default password of the router and, if you really are on the paranoid side, you may also want to change the IP addresses of your router/LAN (e.g. 192.168.8.34, ....); this will help to avoid automated malware exploiting your box. If you are even more paranoid, turn OFF UPnP in the router (if ON, it will allow your PCs to manipulate the router ports and connections). This is all you need for securing your WiFi/LAN.

Once you have ensured that no one can access your WiFi/router, you can safely set up ZA with router 192.168.X.X/255.255.255.0 and DHCP in the TRUSTED zone.

If you have such an "ALL internet" approach, you will need at least to add the DNS servers to the trusted zone to ensure a good internet experience and a stable connection.

Sorry, I am probably not the right person to help on your restrictions as they provide little added value to your security.

Yeah, absolutely so much easier. More or less plugged in, switched on and had internet on all devices.

For sure, I am aware that MACs can be cloned/spoofed and the "hidden" SSID can be found relatively easily - if someone is determined enough, no network is *entirely* secure if it's open to the airwaves or hooked to the internet, but I've gone with the hide-it-from-the-casual-hijacker approach.

Forgot to mention that I changed the default login for the router from admin/admin to something a whole lot more, hmm, un-guessable.

My WPA2-PSK is not as long as it could be, but is longer than the default 8 characters, and yes it's a non-dictionary alphanumeric character string.

Well, as far as it is, I don't have any issues with the XP PC or the netbook, for accessing the internet. I don't have the DNS servers listed as trusted or public in ZoneAlarm.
I guess I could change the router's default IP (and thus the gateway of network adaptors) for kicks. I won't for the time being.

When I google search networking I get soooooooo much waffle it is insane. I was hoping to stumble upon a site which details simple, easy to follow ways of protecting everything, and then making the compromise to allow sharing of stuff. I haven't found it yet.

I guess it would be nice to find a 'decent' network security/firewall checker site, that tries to break in non-maliciously, and give a report on what to fix. However, I guess that relies on an automated system (sort of like malware might).

Breaking router security via probing is unlikely and not followed by any hacker nowadays. It's too time-consuming and difficult compared to compromising a system with malware distributed via internet web surfing and/or e-mails. The keyword is now cost effectiveness, not geeks hacking. You are more than safe on that point.

... and if you are dealing with industrial or policy secrets, then not even your setup will be enough ...

Actually, the advantage of having the SSID visible is that casual users and automated systems (routers looking for free channels) will be able to see you and avoid the channel used. This results in a stronger and more stable signal, including coverage. Casual hackers can't really do anything with your SSID.

The WPA2 password should be longer than 20-25 random characters, as up to now successful brute force has been limited to around 15-20 characters.

If you experience difficulties in connections or sudden problems of stability, you will know why. The problem is that if you experience this in a month or so, it will be difficult for you to link it back to your configuration. Well, keep it in mind.
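The reply above recommends a WPA2-PSK of more than 20-25 random characters. The script below is an added example of generating one and putting a number on what that length buys; it is not code from this thread or from ZoneAlarm. It uses the .NET cryptographic RNG with rejection sampling so that no character is favoured by modulo bias, and it assumes a round figure of 100,000 PBKDF2 guesses per second per GPU for the time estimate (an assumption for illustration, not a measured rate). WPA2-PSK passphrases are 8 to 63 printable ASCII characters.

```powershell
# Added example, not from this thread: generate a random WPA2-PSK of the length
# recommended above and report how much brute-force work it represents.
function New-WpaPassphrase {
    param(
        [int]$Length = 24,
        [string]$Alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    )
    if ($Length -lt 8 -or $Length -gt 63) { throw "WPA2-PSK length must be 8..63" }
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $byte  = New-Object byte[] 1
    $n     = $Alphabet.Length
    # Largest multiple of $n that fits in a byte; values at or above it are
    # rejected and redrawn so every alphabet index is equally likely.
    $limit = 256 - (256 % $n)
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) { [void]$sb.Append($Alphabet[$byte[0] % $n]) }
    }
    $sb.ToString()
}

function Get-PassphraseEntropyBits([int]$Length, [int]$AlphabetSize) {
    # Bits of entropy for a uniformly random string: length * log2(alphabet size).
    [math]::Round($Length * [math]::Log($AlphabetSize, 2), 1)
}

$psk  = New-WpaPassphrase -Length 24
$bits = Get-PassphraseEntropyBits -Length $psk.Length -AlphabetSize 62
"PSK:     $psk"
"Entropy: $bits bits"

# ASSUMPTION: 100,000 PBKDF2 guesses per second per GPU is a round figure used
# only for illustration. Expected time to search half the keyspace:
$GuessesPerSecond = 100000
$years = [math]::Pow(2, $bits - 1) / $GuessesPerSecond / 31557600
"Half the keyspace at $GuessesPerSecond guesses/s: {0:E2} years" -f $years
```

The entropy figure is what matters: 24 characters from a 62-symbol alphabet is roughly 143 bits, which is far beyond anything an offline attack on a captured handshake could finish, whereas the same 24 characters taken from dictionary words would be worth only a few tens of bits. Copy the output into the router's WPA2-PSK field and into each client once; as noted later in the thread, it does not have to be typed on every connection.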


That's helpful to know. I must confess I didn't think of SSID concealment as a drawback, but when you put it how you did, I can see that actually broadcasting "yo yo yo y'all, I'm like a network here and junk, and like, don't step on my channels n' jive!" or something like that (it's probably not all that 'street') could be beneficial.

I'll leave it concealed at the moment, but it's going on the same bit of paper for troubleshooting.

Well, I plonked ZA free on an old XP machine that I've cleared out and re-installed (1.2GHz AMD, 1GB RAM, Radeon ViVo 64MB!).
Doesn't seem to be a resource hog at all (ForceField 2MB, ISWSVC 8MB, VSMon 21MB and ZATray 5MB, total = <36MB), other than the immediate delay when the desktop comes up, but it's quicker than the main XP machine (2.66GHz C2D, 4GB RAM), which leads me to believe that my slower desktop release is due to tons of **** everywhere rather than ZA so much.

I can confirm that ZA free is a damn lot easier to setup than MS firewall. It's simple, dump everything in public zone, then pop the things I want into trusted. Drop trusted level to medium for sharing, and it's done.

Programs will be controlled for their outbound traffic, unlike the MS firewall (without significant time and effort blocking and configuring every program...no thanks).
The only thing I have to worry about is if malware did get in, that it *could* propagate through the open "trusted" zone IP addresses - each machine. In other words affecting each machine on the network. I'm gonna have to look into plugging that hole perhaps.

Oh yeah, I suffer from a little security paranoia, but it's not so bad. I use IE for internet banking, but it is closed to ALL other sites, cookies, scripts and such. Only allowed what was needed for my specific bank's site.
I run Google Chrome or FireFox when Chrome doesn't like me, and they are run from alternative temporary caches, and FF clears all its data after close.

Gonna change that WPA2-PSK to something more...ahem...longer, it's not like I have to enter it every time I wanna connect.

From pressing the power button until being able to run a program 1m 32s, so that's not too shabby at all on a little 1.6GHz Dual Core Atom, with a 5400rpm HDD!
It's plenty enough for me, I've noticed no obvious lag issues or slowdowns, so all I can say is well done ZA developers for making ZA free a usable firewall on a low-resource machine.

I got XP to share itself and to see Win7 - oops, forgot to tick "Client for MS networks" on the network device properties. Doh!

All is well.

Another note: I did try a security checking tool from a site, forget where it was, but it was a *safe* trojan, and ZA didn't ask me anything about that, just let it run and gather data from "my documents" folder, and send them to a server. That was odd. I'll have to investigate that.